Most cyber risk management is done qualitatively, which prevents the comparison of cyber risk to other types of organizational risk. Our research uses probabilistic risk analysis (PRA) to quantitatively assess cyber risk in organizations (in dollar terms). We outline a portfolio of tools and techniques to assess different cyber risks. For example, we use probabilistic inputs to determine if full disk encryption is cost effective, given the rate of laptop thefts and data disclosures. Our quantitative framework allows explicit trade-offs between high-frequency, low cost incidents and low-frequency, high cost incidents.